Update IE Ratings registry key via logon script in group policy

I am using ratings in internet explorer to prevent users from accessing unauthorized websites. I have found that if I creat e a reg file of that key, I can take it to all other machines and apply it. I would like to have the file in one central location on the server so that i may update it and use group policy \user configuration \ windows settings \ Scripts (logon \ logoff) to perform this task. I am not familiar with creating logon scripts either.

How do you load the template? It seems to give me the option of setting it up but then it modifies my server and applies it to the server as if what I am really doing is modifying the server IE settings. I dont want the server to have the same restrictions.

Whooaa! To access group policy you neeed to figure out where you are going to apply it. At the domain level or at an OU level. Most will be at an OU level. So create an OU, right click on the OU go to properties. Go to Group Policy, Add, Global Policy, Edit, Right-Click Administrative Template, Add-Remove Templates, Add, select all and Add. Now your on your way.

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat. The purpose of this eBook is to educate the reader about ransomware attacks.

I went to properties of the OU (San Rafael) and created a new Group Policy called Terminals and modified that policy. Terminals[d3server.watersavers.local]Policy. I went to User Configuration, Internet Explorer Maintenance, Security, Security Zones and Content Ratings and selected Import the current Content Ratings settings. Whenever I modified this it modified it for the server so I went back to the original state. Did I make a wrong move here? Or is there something else I need to do.

No I have seen this before, while modifying these. My reaction was however intentional. Make absolutely sure that those policies will in no way be associated with the administrator or the server. In fact it is a good idea to document any settings that are restrictive and create a backup administrator account with a group policy that is the converse of any restrictive settings.

My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles. When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one. The same occurs with a restricted user except it deletes then adds the reg key with the modifications. When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file. This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer. I created a noaccess.rat which prevents access to all sites except those in the allowed list. Do you have a better solution?

My workaround is I exported the ratings registry key with restrictions and without restrictions and created a batch file which I place in their profiles. When an authorized user logs in it runs the batch file which deletes the existing key and inserts the new one. The same occurs with a restricted user except it deletes then adds the reg key with the modifications. When I want to add or remove sites, I go to one of the machines make the modifications, export the registry key and place it on the server so that all systems update via one file. This reg key does not require a reboot to be applied correctly and can be applied while in internet explorer. I created a noaccess.rat which prevents access to all sites except those in the allowed list. Do you have a better solution?

That's a pretty good way to accomplish your solution, but you really should work with the policies. They will centralize all this kind of adminsitration for you.

My concern expressed above is I have seen techs start playing with policies, and they end up applying them to a server or an administrator group inadvertently. It's not much different to a tech taking all administrator rights away from a file and explicitly giving ownership and rights of that file to an individual. Policies are extremely powerful, I just wanted to make that point. I think you should give them another chance if you have the time.

I would like to stick with group policy. Yes you are right. I have found it to be very powerful. I have found it useful for restricting users capabilities on the machines. I just can't figure out how to apply registry keys or batch files through the policy.

If you import (add) the proper templates into GPs there is not much you can't do. I do agree with regard to registry keys and other batch files. I try to put what I can in the policies, even logon and logoff scripts. Lots of testing. I still end up using a lot of the old methods to get stuff done. I think there will come a time when they will incorporate custom registry changes in them as well.

I know you can create a logon script in Group Policy, so I tried adding the batch file to that location, but it did not work. Is the logon script in Group Policy different then a batch file? Do I have to write a script to run the batch file and if so what scripting language does it use?

Mark.. if you place the batch file in a public share like sysvol and then place the unc path under the logon script it should run. Let me know if it does not. Remember you have some authentication issues during logon, they have to have rights to read the file.

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL

With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…